(54) A mechanism for enabling secure electronic transactions on the open internet



(57) A method is provided for performing a transaction that is initiated over an open communication network between a user and a remotely located server. The open communication network may be the Internet, for example. In accordance with one embodiment of the method, a transaction identification number is received from the remotely located server over the open network and subsequently, communication between the user and the remotely located server is discontinued. Communication is established between the user and a transaction server. The transaction server is operatively coupled to the user and the remotely located server over a communication network which is isolated from the open network. The transaction identification number is transmitted to the transaction server over the communication network. After the transaction server confirms the validity of the transaction identification number, in response to a request from the transaction server, a transaction authorization number is transmitted over the communication network to the transaction server to complete the transaction.



FIG. 1 (drawing not reproduced; labels recovered from the page): ISOLATED TRUSTED DIRECTORY SERVER; PROPRIETARY SECURE PROTOCOL; TRANSACTION SERVER 19; (MERCHANT) WEB SERVER 18.


BNSDOCID: <EP 0813325A2_L>

Description

Field of the Invention

This invention relates generally to a method for performing secure transactions on open communication networks and, in particular, to a method and apparatus for performing transactions such as purchases over the World Wide Web.

Background of the Invention

Open public networks such as the Internet, and in particular the World Wide Web, have undergone tremendous growth as a distribution channel for businesses. These businesses typically provide an Internet site to promote one or more products or services. Of course, it would be convenient if customers could actually complete a transaction and purchase a product or service over the Internet. However, it is currently difficult to secure data traffic that traverses the Internet because the Internet is an open environment with no guarantees of data privacy, and thus a third party can access or alter the data as it is in transit. Consequently, sensitive data such as credit card numbers cannot be transmitted over the Internet with adequate assurances of security.

A variety of techniques have been explored to secure data on the Internet. Many of these techniques involve data encryption which may provide adequate security for a limited time. However, encryption techniques are continuously in jeopardy of being broken because technologies to break encryption schemes are being developed as rapidly as the encryption techniques themselves and because the computing power and communication systems needed for decryption are fast becoming ubiquitous and cheap. Moreover, in addition to the technological problems of providing security on the Internet, there is a large socio-cultural impediment to performing electronic transactions on the Internet simply because people question its security. Accordingly, it would be desirable to provide a convenient method for performing a reasonably secure transaction over the Internet.

Summary of the Invention 

The present invention provides a method for performing a transaction that is initiated over an open communication network between a user and a remotely located server. The open communication network may be the Internet, for example. In accordance with one embodiment of the method, a transaction identification number is received from the remotely located server over the open network and subsequently, communication between the user and the remotely located server is discontinued. Communication is established between the user and a transaction server. The transaction server is operatively coupled to the user and the remotely located server over a communication network which is isolated from the open network. The transaction identification number is transmitted to the transaction server over the communication network. After confirming the validity of the transaction identification number, the transaction server requests a transaction authorization number. In response to this request, a transaction authorization number is transmitted over the communication network to the transaction server to complete the transaction.

The transition in communication between the remotely located server and the transaction server may occur automatically upon a request from the user to complete the transaction. Accordingly, the user can perform a secure transaction in an extremely convenient manner.

Brief Description of the Drawings 

FIG. 1 shows an example of a system constructed in accordance with the present invention which is incorporated into the World Wide Web.

FIG. 2 shows a flow diagram illustrating one embodiment of the process used to purchase an item from the World Wide Web in accordance with the present invention.

Detailed Description 

The present invention allows an individual to browse the open World Wide Web (WWW) and in a seamless manner perform secure transactions over a secure electronic communication medium that is isolated from the WWW. Such secure communications media are often employed by banks, for example, to allow customers to perform home banking over a personal computer. These secure communication media typically employ an encrypted proprietary protocol operating over a telephone link (i.e., a circuit switched POTS connection). FIG. 1 shows an example of a system in accordance with the present invention which is incorporated into the WWW.

A personal computer 10 or other data processing device is coupled to the open Internet 12, and in particular the WWW, via an Internet provider gateway 14. The computer 10 interfaces with the gateway 14 via an input/output device 16 that typically includes a modem. The computer 10 may be employed by a user to search the WWW with a web browser in a conventional manner and communicate with a remotely located server 18 that may represent, for example, a vendor advertising a product or service. Examples of web browsers include Netscape's Navigator and Microsoft's Internet Explorer.

Currently, if the user desires to purchase the product or service from the vendor, the user provides a credit card number over the network, thus potentially allowing a third party access to the card number, even if an encryption technique is employed. In accordance with the present invention, however, this problem is avoided because sensitive data is never transmitted over the open WWW. Rather, in response to the user's request to make a purchase, the vendor 18 transmits a purchase order number both to the user 10 over the WWW and to a transaction server 19 that is isolated from the Internet. The vendor 18 communicates with the transaction server 19 over any desired communication system 11 that is isolated from the Internet. This system 11 may employ a proprietary protocol that operates over a telephone link such as any of those conventionally used for banking.

The user subsequently pays for the purchase by initiating communication between the computer 10 and the transaction server 19 over another communication system 13 that is isolated from the WWW and which also may employ a proprietary protocol operating over a telephone link. The user provides the purchase order number to the transaction server 19 and proceeds to complete the purchase by providing a credit card number. Since the transaction server 19 is isolated from the open WWW, the inherent risks of communicating sensitive information are avoided. The transaction between the user and the transaction server has a degree of security at least equivalent to the security provided by a conventional telephone and preferably to the level of security provided by proprietary home banking, tax filing, or bill paying communication systems. A system employing a proprietary protocol to transmit data over the telephone system is advantageous because consumers by and large believe that transmitting sensitive data in this manner (by speaking or faxing the data, for example) is secure. Support for this belief is provided by the success of on-line banking, tax filing and bill paying systems.

It should be noted that the term "isolated" as used herein refers to isolation with respect to information transport and not physical isolation. For example, portions of the communications system 13 and the Internet 12 may share the same physical links such as the user's local telephone line. However, the communication system 13 and the Internet 12 do not communicate with one another.

In accordance with one aspect of the invention, the user is provided with software to be executed on the computer 10 which automatically performs the transition in communication from the WWW 12 to the transaction server 19 so that the details involved are invisible to the user. That is, when the user wishes to place an order, there is no need to manually disconnect from the WWW 12 and initiate communication with the transaction server 19 over the isolated communication system. Rather, the software residing in the computer 10 performs the transaction so that the user may even be unaware that the computer 10 has disconnected from the WWW and initiated communication with another network.

FIG. 2 shows a flow diagram illustrating one embodiment of the process used to purchase an item from the WWW in accordance with the present invention. Each block in FIG. 2 identifies the operations to be performed by the personal computer to provide the functionality contemplated by the present invention. It should be noted that the operations performed by the computer may be implemented programmatically by software residing on the computer or by direct electrical connections through customized integrated circuits or by a combination of both.

The process begins in step 200, in which communication is established between the computer and the WWW in a conventional manner. The user browses public sites on the WWW and ultimately decides to purchase a product or service from a vendor. The user's computer receives the purchase order number in step 209 of FIG. 2. The vendor generates a purchase order number in response to the user's request and transmits the order number to both the transaction server and the user's computer 10. The vendor directs the user to contact the appropriate transaction server and may additionally provide the user with the server's telephone number, which may, for example, be an 800 number. The telephone number may be unique to the particular transaction server or it may be unique to both the transaction server and the vendor (so that each transaction server can receive requests in connection with different vendors each having a unique telephone number). Moreover, the present invention contemplates the provision of a plurality of transaction servers as demand warrants, and in some cases vendors may work in cooperation with more than one transaction server.

In step 201 communication between the WWW and the computer is suspended by either discontinuing the communication session or by placing the connection to the WWW in a hold state via a three-way calling service. In step 203 the computer establishes communication with the transaction server over the secure network. As previously noted, the vendor may provide the user with the appropriate telephone number. This may be accomplished in a simple manner by having the vendor display the telephone number on its web page. However, this scheme may not be sufficiently secure because a third party could potentially alter the telephone number while it is being transmitted from the server to the user, thereby fraudulently obtaining the user's credit card number by having the user call a telephone number accessible to the third party.

In yet another alternative embodiment of the invention, the telephone number of the transaction server may be locally stored in the computer or, alternatively, the user may retrieve the appropriate telephone number from a directory located in the secure communication system which includes the transaction server. The telephone number of the directory may be stored in the computer or it may be provided by the vendor. The directory may reside on the transaction server itself or it may reside in another component in communication with the secure system. In one particular embodiment of the invention, the computer first uses the Universal Resource Locator (URL) of the vendor and attempts to retrieve the phone number for its transaction server from a locally stored directory. If the number is not found, the computer automatically dials the directory located on the secure network and downloads the appropriate telephone number. If the telephone number is still not found, the computer prompts the user to provide the appropriate number. Finally, if the number is unavailable, the attempted transaction is aborted and the computer returns to the vendor's site on the WWW, which had been on hold. In this situation customer service should be called.
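The lookup order just described (local directory keyed by the vendor's URL, then the directory on the isolated network, then the user, then abort) can be written as one resolver. The Python below is an added example, not code from the patent: the directory tables are constructed sample data, `dial_secure_directory` stands in for the call over the isolated network, and caching a directory hit in the local directory is my assumption. A number displayed on the vendor's web page is deliberately not one of the sources, for the reason the preceding paragraph gives.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the patent): the directory stored on the
# user's computer and the directory reachable only over the isolated network.
LOCAL_DIRECTORY = {"shop.example": "1-800-555-0100"}
SECURE_NETWORK_DIRECTORY = {"shop.example": "1-800-555-0100",
                            "books.example": "1-800-555-0101"}


def vendor_key(vendor_url):
    """Reduce the vendor's URL to its host, which is what the directories are keyed by."""
    host = urlsplit(vendor_url).hostname
    if host is None:
        raise ValueError("vendor URL has no host: %r" % vendor_url)
    return host.lower()


def dial_secure_directory(key):
    """Stand-in (assumed interface) for dialling the directory on the isolated network."""
    return SECURE_NETWORK_DIRECTORY.get(key)


def resolve_transaction_server_number(vendor_url, local_directory=None,
                                      dial_directory=dial_secure_directory,
                                      prompt_user=lambda key: None):
    """Return (telephone_number, source) following the fallback order in the
    description. (None, "aborted") means the purchase must be abandoned and the
    WWW session that was on hold resumed."""
    if local_directory is None:
        local_directory = LOCAL_DIRECTORY
    key = vendor_key(vendor_url)

    number = local_directory.get(key)            # 1. locally stored directory
    if number:
        return number, "local"

    number = dial_directory(key)                 # 2. directory on the secure network
    if number:
        local_directory[key] = number            # cache for next time (assumption)
        return number, "directory"

    number = prompt_user(key)                    # 3. ask the user
    if number:
        return number, "user"

    return None, "aborted"                       # 4. abort, return to vendor's site
```

`prompt_user` is injected as a callable so the same resolver can run headless in a test (returning `None`) or wired to a real dialog.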

Returning to step 203, after communication has been established with the transaction server, the user provides the server with the purchase order number in step 202. The transaction server locates the purchase order and may echo to the user a list of the products or services to be purchased. The user approves the purchase and in step 204 provides a credit card number to complete the transaction. Once the transaction between the computer and the transaction server is complete, the computer ends the communication session with the transaction server in step 205 and resumes communication with the WWW in step 207. The transaction server subsequently transmits the completed order back to the vendor or directly to a shipping department.

In one embodiment of the invention, the communication session between the computer 10 and the transaction server is configured to appear to the user as a WWW communication session. That is, the interface between the computer 10 and the transaction server is designed to function in a format similar to a WWW browser so that the user is virtually unaware that the computer has suspended communication on the WWW and initiated communication over a secure network isolated from the WWW. From the user's perspective this advantageously simplifies the task of purchasing an item over the WWW in a relatively secure manner.

In accordance with one aspect of the invention, the purchase order number provided to the user may be randomly generated by the vendor's server. This feature prevents unauthorized users from dialing in to the transaction server and attempting to access orders by trying arbitrary purchase order numbers. Additionally, the transaction server can limit the user to a predetermined number (e.g. three) of incorrect order numbers before terminating the connection.
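The following Python model is an added example (not code from the patent) of the FIG. 2 sequence together with the two controls in this paragraph: the vendor generates the purchase order number with 128 bits from `secrets`, and each dial-in session keeps its own miss counter and is dropped after three unknown order numbers. The class names, the `trace` labels and the masked-card receipt are my assumptions; the isolated links 11 and 13 are modelled as direct method calls, and the only value that travels over the open WWW is the purchase order number. Sessions are opened from the user's side, matching the user-initiated procedure the description prefers.

```python
import secrets

MAX_BAD_ORDER_ATTEMPTS = 3   # "e.g. three" incorrect order numbers, then disconnect


class TransactionServer:
    """Model of the isolated transaction server (19): reachable only over the
    isolated links 11 (vendor) and 13 (user); nothing here touches the open WWW."""

    def __init__(self):
        self._orders = {}      # purchase order number -> order record
        self.completed = []    # completed orders to hand back to the vendor / shipping

    def register_order(self, po_number, vendor, items):
        # The vendor sends the order here over link 11, in parallel with the WWW copy.
        self._orders[po_number] = {"po": po_number, "vendor": vendor,
                                   "items": list(items), "status": "pending"}

    def open_session(self):
        # The user dials in over link 13 (user-initiated, never a call-back to the user).
        return TransactionSession(self)


class TransactionSession:
    def __init__(self, server):
        self._server = server
        self._order = None
        self._bad_attempts = 0
        self.terminated = False

    def present_order_number(self, po_number):
        """Step 202: validate the purchase order number. Returns the echoed item list,
        or None for an unknown or already-used number; after MAX_BAD_ORDER_ATTEMPTS
        misses the session is dropped, so guessing gets at most three tries per call."""
        if self.terminated:
            raise ConnectionError("session terminated")
        order = self._server._orders.get(po_number)
        if order is None or order["status"] != "pending":
            self._bad_attempts += 1
            if self._bad_attempts >= MAX_BAD_ORDER_ATTEMPTS:
                self.terminated = True
            return None
        self._order = order
        return list(order["items"])

    def authorize(self, card_number):
        """Step 204: the authorization (card) number arrives over link 13 only.
        The record passed on to the vendor keeps just the last four digits (assumption)."""
        if self.terminated or self._order is None:
            raise ConnectionError("no validated order in this session")
        self._order["status"] = "completed"
        receipt = dict(self._order, card_last4=card_number[-4:])
        self._server.completed.append(receipt)
        self._order = None
        return receipt

    def close(self):
        self.terminated = True   # step 205


class Vendor:
    """Vendor web server (18): talks to the user over the open WWW and to the
    transaction server over isolated link 11."""

    def __init__(self, name, transaction_server):
        self.name = name
        self._ts = transaction_server

    def create_purchase_order(self, items):
        po_number = secrets.token_hex(16)                     # 128 random bits
        self._ts.register_order(po_number, self.name, items)  # over link 11
        return po_number                                      # the only value sent over the WWW


def purchase(vendor, transaction_server, items, card_number):
    """The FIG. 2 sequence as run by the user's computer (10). Returns (receipt, trace)."""
    trace = ["www connected"]                                 # step 200
    po_number = vendor.create_purchase_order(items)           # step 209, over the WWW
    trace.append("po received over www")
    trace.append("www on hold")                               # step 201
    session = transaction_server.open_session()               # step 203, link 13
    trace.append("isolated link open")
    receipt = None
    if session.present_order_number(po_number) is not None:   # step 202
        trace.append("order echoed, user approves")
        receipt = session.authorize(card_number)              # step 204
    session.close()                                           # step 205
    trace.append("isolated link closed")
    trace.append("www resumed")                               # step 207
    return receipt, trace


def misses_before_lockout(transaction_server, attempts):
    """Check the lockout control: how many unknown order numbers one dial-in
    session accepts before the server drops it (constructed check, expected 3)."""
    session = transaction_server.open_session()
    misses = 0
    while misses < attempts and not session.terminated:
        session.present_order_number(secrets.token_hex(16))
        misses += 1
    return misses
```

Two properties worth noticing in the model: a purchase order number is single-use, so presenting it again after the order is completed counts as a miss rather than re-opening the order, and the `trace` list shows the hold and resume of the WWW session happening inside `purchase` without any user action, which is the point of claims 2 and 3.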

In the embodiment of the invention discussed in connection with FIG. 2, the user's computer 10 initiated contact with the transaction server, as opposed to the transaction server initiating contact with the user. While the present invention encompasses both procedures, the former procedure is advantageous because if the latter procedure is used, an unauthorized party on the open Internet could detect a message from the user to the vendor requesting a return call for credit card authorization. This party could then call the user, thus emulating the transaction server to fraudulently acquire the user's credit card number.

It will be appreciated that those skilled in the art will be able to devise numerous arrangements which, although not explicitly shown or described herein, embody the principles of the invention. Accordingly, all such alternatives, modifications and variations which fall within the spirit and broad scope of the appended claims will be embraced by the principles of the invention. For example, while the invention has been described in connection with FIGS. 1 and 2 as a method for completing a transaction on the Internet, the invention is more broadly applicable to a method for completing a transaction on other open communication systems as well.

Claims 

1. A method for performing a transaction initiated over an open communication network between a user and a remotely located server, comprising the steps of:

a. receiving a transaction identification number 
from the remotely located server over the open 
network; 

b. discontinuing communication between said 
user and said remotely located server; 

c. establishing communication between said 
user and a transaction server, said transaction 
server being operatively coupled to said user 
and said remotely located server over a com- 
munication network isolated from said open 
network; 

d. transmitting said transaction identification 
number to said transaction server over said 
communication network; 

e. after the transaction server confirms validity 
of the transaction identification number, trans- 
mitting over said communication network, in 
response to a request from said transaction 
server, a transaction authorization number to 
said transaction server to complete the trans- 
action. 

2. The method of claim 1 wherein steps (b) and (c) 
occur automatically in response to a request from 
said user to complete the transaction. 

3. The method of claim 2 wherein steps (b) and (c) 
occur in a manner substantially transparent to said 
user. 

4. The method of claim 1 wherein communication over 
said communication network between said user 
and said transaction server employs an encrypted 
protocol at least in part operating over a telephone 
link. 

5. The method of claim 1 wherein said open network 
comprises the Internet. 
6. The method of claim 5 wherein said open network comprises the World Wide Web.

7. The method of claim 1 wherein said user is in com- 
munication with said remotely located server and 
said transaction server over a personal computer. 

8. The method of claim 1 wherein said remotely 
located server is employed by a vendor to advertise 
on the open network. 

9. The method of claim 8 wherein said transaction 
comprises a purchase. 

10. The method of claim 9 wherein said transaction 
authorization number is a credit card number. 

11. The method of claim 1 wherein step (a) further 
comprises the step of receiving from said remotely 
located server a telephone number of said transac- 
tion server. 

12. The method of claim 1 wherein step (b) includes the 
step of suspending communication between said 
user and said remotely located server by placing 
said remotely located server in a hold state. 

13. The method of claim 1 wherein said communication 
in step (c) is initiated by said user. 

14. The method of claim 13 wherein said user initiates 
communication with said transaction server by per- 
forming the step of retrieving a locally stored tele- 
phone number of said transaction server. 

15. The method of claim 13 wherein said user initiates 
communication with said transaction server by 
retrieving a telephone number from a directory 
located in said communication network. 

16. The method of claim 6 wherein said transaction is initiated by the user using a World Wide Web browser.

17. The method of claim 1 further comprising the steps 
of: 

f. discontinuing communication between said 
user and transaction server; 

g. subsequently resuming communication 
between said user and said remotely located 
server. 

18. The method of claim 17 wherein steps (f) and (g) 
occur automatically after completion of step (e). 

19. A computer readable medium having a computer program encoded thereon for performing a transaction initiated over an open communication network between a user and a remotely located server, comprising:

a first portion of said medium having a first program segment for receiving a transaction identification number from the remotely located server over the open network;

a second portion of said medium having a second program segment for discontinuing communication between said user and said remotely located server;

a third portion of said medium having a third program segment for establishing communication between said user and a transaction server over a communication network isolated from said open network;

a fourth portion of said medium having a fourth program segment for transmitting said transaction identification number to said transaction server over said communication network;

a fifth portion of said medium having a fifth program segment for transmitting over said communication network, after the transaction server confirms validity of the transaction identification number and in response to a request from said transaction server, a transaction authorization number to said transaction server to complete the transaction.

20. The medium of claim 19 wherein said second and third program segments are automatically executed in response to a request from said user to complete the transaction.

21. The medium of claim 20 wherein said second and third program segments are executed in a manner substantially transparent to said user.

22. The medium of claim 19 wherein said third, fourth, and fifth program segments employ an encrypted protocol operating at least in part over a telephone link.

23. The medium of claim 19 wherein said open network comprises the Internet.

24. The medium of claim 23 wherein said open network 
comprises the World Wide Web. 

25. The medium of claim 19 wherein said remotely located server is employed by a vendor to advertise on the open network.

26. The medium of claim 25 wherein said transaction comprises a purchase.

27. The medium of claim 26 wherein said transaction 
authorization number is a credit card number. 
28. The medium of claim 19 wherein said first program segment further receives from said remotely located server a telephone number of said transaction server.

29. The medium of claim 19 wherein said second pro- 
gram segment suspends communication between 
said user and said remotely located server by plac- 
ing said remotely located server in a hold state. 

30. The medium of claim 19 wherein said third program 
segment initiates communication between said 
user and said transaction server. 

31. The medium of claim 30 wherein said third program segment initiates communication with said transaction server by retrieving a locally stored telephone number of said transaction server from a sixth portion of said medium.

32. The medium of claim 30 wherein said third program segment initiates communication with said transaction server by retrieving a telephone number from a directory located in said communication network.

33. The medium of claim 24 further comprising a sixth portion of said medium having a sixth program segment for browsing on the World Wide Web.